Securing ColdFusion 10

Similar Messages

• A simple app to secure coldfusion pages - Running into an issue with Session

  Hello, I am testing out how to protect pages in coldfusion and have run into an issue when attempting to create a process by which users can log out.
  Essentially, I have three pages:
  Page A - The form that submits to Page B
  Page B - That checks the form.username and form.password against a database (works fine)
  Page C - Logout page (Which is where I am having an issue).
  Page C throws a "variable Session is undefined" error
  Here is the code on Page C:
  <cfset StructClear(Session)>
  <cflocation url="index.cfm">
  Here is the code on Page B:
  <cfif NOT IsDefined ("form.username")>
  <cflocation url="index.cfm" addtoken="No">
  </cfif>
  <cfquery name="test" datasource="cfdb">
  SELECT * FROM USERS
  WHERE USERNAME = '#FORM.username#'
  AND PASSWORD = '#FORM.password#'
  </cfquery>
  <!---<CFSET Session.LoggedIn = "1">
  <CFSET Session.FirstName = "#test.FirstName#">--->
  <CFIF test.RecordCount IS 0>
  <cflocation url="index.cfm" addtoken="No">
  <CFSET StructClear(Session)>
  <cfelse>
  <CFSET Session.LoggedIn = "1">
  <!---<cflocation url="test.cfm" addtoken="No">--->
  </cfif>
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Untitled Document</title>
  </head>
  <body>
  <p><a href="logout.cfm">Log Out</a></p>
  <p> </p>
  <p> </p>
  <p><br>
    This content is protected.
  </p>
  </body>
  </html>
  As you can see, nothing fancy
  Now, I thought that the Session variable could be accessed by any page within a given browser instance, but I am obviously wrong.
  What do I need to do for Page C (my logout page to be able to access the session variable).
  Any guidance is greatly appreciated!

  1.
  “Variable Session is undefined” error comes up when you try to manipulate a session variable which does not exist, as at that point in time. To take care of possible empty session structures, it is good practice to check first if your session is defined.
  So you will have something like:
  <cfif isDefined("session")>
  <cfset StructClear(Session) />
  <cfelse>
  <cflocation url="index.cfm">
  </cfif>
  2.
  To enable you access your session variables from any page in your application, you need to enable session management in your Application.cfm or Application.cfc.
  cfm   <cfapplication sessionmanagement="Yes" />
  cfc        <cfcomponent>
  <cfset THIS.SessionManagement = "Yes" />
  </cfcomponent>
  Reference…http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24 -7c48.html

• Locking down coldfusion for security threats

  Hi,
  We were looking to lockdown our coldfusion server from outside threats and have lookd at multiple forums for it. Most of them were referring to run coldfusion under an unprivileged user account (other than administrator).
  Has anyone done similar kind of configuration before as we haven't got any clue how to do this. We will appreciate if someone could write down all the steps to do it.
  Thanks
  Steve Jordan
  http://hyve.com

  Depending on the version you are running, Adobe has lockdown guides for securing ColdFusion.
  ColdFusion 10: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guid e.pdf
  ColdFusion 9: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/910 25512-cf9-lockdownguide-wp-ue.pdf
  They were written for Adobe by Pete Freitag of Foundeo.  Pete is a ColdFusion security guru.
  -Carl

• Performance tuning & Securing MX 7 on IIS 6

  I never had much at all to do with Coldfusion and have just been asked to look into making some security and performance suggestions for a small Windows 2003/IIS 6 server farm using Coldfusion MX 7.
  This is what I was planning;
  Configure all IIS websites to use a seperate IIS application pool (security)
  Configure all IIS websites to use a seperate windows user account for authentication (security)
  Configure IIS content expiration (performance)
  Configure IIS file compression and static file caching (performance)
  Use 3rd party anti leech tool (security/performance)
  Problem is although I am familiar enough with IIS, I don't really have a good understanding of how Coldfusion MX 7 hangs together. From what I've read to date (which is pretty limited) it appears as if Coldfusion doesn't use IIS for much more than serving HTTP requests. Is this an accurate summation?
  If so, then how does Coldfusion interact with IIS? Particularity in relation to the points I mentioned above? I read a guide on securing Coldfusion MX 7 on IIS from the Adobe website and it makes no mention of doing the segregation I listed above, and one of my colleagues told me that Coldfusion doesn't even use IIS application pools or worker processes (not sure how this would even be possible) and handles content compression and caching itself as well as security.
  Basically, any pointers/advice on how Coldfusion MX 7 interacts with IIS 6 and if the points I made are valid in an IIS/Coldfusion environment would be greatly appreciated.
  Cheers!

  Distributed Mode is what you are after.
  http://www.adobe.com/support/coldfusion/administration/cfmx_in_distributed_mode/
  Although written a few years ago, it'll still point you in
  the right direction.
  Andy

• Security bulletin manual updates for CF v8.0.1

  I have a couple of questions in the regard.
  1) Do all the bulletins apply to 8.0.1 on this page? http://www.adobe.com/support/security/#coldfusion
  2) If so, can I manually apply the patches by copying said .jar files to the cf_root/lib/updates folder as opposed to using the administrator to do so? And, if not, is there any way to apply the patches without the administrator? I would like to script the update as we have a process for silently installing CF and I would like to include the updates in that process automatically.

  Firefox Portable support is over here:
  http://portableapps.com/forums/support/firefox_portable

• CAn't browse CFM files in IIS5

  Deall all,
  I have w2k server running IIS5. I installed coldfusion 5.0 .
  HAve run the "web server configuration tool" and add the webserver.
  Still i cann't go to the administrator/index.cfm page. When i
  point the browser to that page, it comes up with a login scrren
  with username and passowrd and domain.
  I tried to view a test.cfm file from another pc, again i get
  that same userid and password screen.
  Please help ME.

  Check this TN and see if it helps:
  ColdFusion
  TechNote : Securing ColdFusion pages through IIS
  Also double-check the user you have running IIS, make sure
  anonymous access is allowed.
  HTH;
  &laz;

• Cold Fusion 9 patch question

  Hi,
  Is there a way to find the location of Cold Fusion 9 patches?
  I found this URL: http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9
  Also, is there a way of determining what patches are missing for the Cold Fusion 9 installation?
  Currently, have Version: 9,0,1,274733 and Adobe Driver Version: 4.0 (Build 0005)  
  Does the Cold Fusion patches include any Java necessary updates?
  Java Version: 1.6.0_17  
  Thanks,
  Mike

  Hello userCold9
  Is there a way to find the location of Cold Fusion 9 patches?
  I found this URL: http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9
  Here are the link to patches:-
  http://www.adobe.com/support/security/#coldfusion
  If you go to the details of every patch, it would give you the information about the version number. Which would in turn, help you to locate the patch installed on your system.
  Regards,
  Anit Kumar

• Coldfusion back-end, AngularJS front-end, and Security

  The company I work for is building an application in which security is of the utmost importance.  We're really hoping to use Angular as the client-side application, and we're exploring how best to create our back-end in ColdFusion (which we've used for a few years now).
  I understand that only so much security can exist in the front-end of the app, and that the bulk of the work needs to happen on the server.  But I'm really unsure about how to move forward in that regard.  From what I've read, it sounds like we'll need some kind of Authentication Token to be created on login and stored on the backend.  This token should come along with every http request, and the server can then decide on the validity of the request.
  Does this sound about right?  And if so, are there best practices for implementing it?
  Any resources that might shed more light on the topic would be HUGELY appreciated.
  Thanks,
  Jonathan

  maheshguruswamy wrote:
  mycoffee wrote:
  maheshguruswamy wrote:
  847102 wrote:
  More and more teams in my company are now mixing technologies. For example they use java for the back end and C# for all the client side code i.e GUI.
  How can you mix these technologies. Ie how can c# code "talk" to java code?
  Not sure if this is the best place to ask, as its a java forum but I though I would give it a try!
  ThanksSimplest way would be to use web services.It is new thing for me to learn...
  How efficient to do it compared to all in one either C# or java? I guess it would be slower.
  Either C# or java can handle the job. Why both? I don't get it.It all depends on how big the teams are and how much "separation of concerns" you are looking for. In enterprise architecture what i aim to do is try to give the development groups freedom to use whatever technology they feel best suits their need...BUT...if they want to talk to other systems and vice versa, they have to follow certain standards (SOAP, REST etc). Architect the lines, not the boxes. If you are not looking for separation of concerns, sure build out everything in one technology..but keep it mind future changes.Thank,
  It is good thing to learn. I used to work with java front end calling Cobol back end (using transactions)
  I know C# and java can talk by SOAP or web services but only wondered about the reason.
  If I am going to design everything new, one technology is the answer.

• Coldfusion 8 & WS-Security

  Does coldfusion support the implementation of WS-Security? I
  am running Coldfusion 8 Enterprise Edition as a stand alone server.
  I am trying to consume a web service that is written in java on an
  IBM web sphere server. Can coldfusion consume this web service and
  pass in the required WS-Security elements?
  Also, is the reverse achievable... Can I create a web service
  that implements WS-Security on a coldfusion server?

  swoodrich wrote:
  > Does coldfusion support the implementation of
  WS-Security? I am running
  > Coldfusion 8 Enterprise Edition as a stand alone server.
  I am trying to
  > consume a web service that is written in java on an IBM
  web sphere server. Can
  > coldfusion consume this web service and pass in the
  required WS-Security
  > elements?
  >
  > Also, is the reverse achievable... Can I create a web
  service that implements
  > WS-Security on a coldfusion server?
  As far as I know CF cannot consume or produce WS-Security.
  I've consumed
  a .net security enabled web service using raw XML. I think
  it's much
  harder to produce ws-security in CF (you're still going to do
  it raw
  just that it's harder).
  Mack

• ColdFusion failed security in invoking a WebSphere web service

  Hello,
  I tried to call a web service hosted in a IBM WebSphere
  server, but could not pass WebSphere's security framework. After
  some talking with the guys in the WebSphere side, I'm not sure
  whether this is possible in ColdFusion because they ask for a
  <wsse:UsernameToken> in the SOAP envelope header. We did some
  testing, and they confirmed that ColdFusion could talk to the web
  service, by could not pass security validation. Would someone help
  me here? Must it be done in Java?
  Here is my calling syntax in ColdFusion:
  <cfinvoke webservice="https://WebServiceURL?wsdl"
  method="myMethod" username="myUserName" password="myPassword"
  returnVariable="ReturnCode">
  <cfinvokeargument name="ParaName"
  value="ParameterValue">
  </cfinvoke>
  The web service is locked down, so the calling client must
  issue a SOAP message containing VALID security extensions:
  <soapenv:Envelope
  xmlns:soapenv="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ws="
  http://somedomain"
  xmlns:wsse="
  http://schemas.xmlsoap.org/ws/2002/07/secext">
  <soapenv:Header>
  <wsse:Security>
  <wsse:UsernameToken>
  <wsse:Username>myUserName</wsse:Username>
  <wsse:Password>myPassword</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
  ... REMOVED as this depends on your individual SOAP service
  </soapenv:Body>
  </soapenv:Envelope>
  The guys at WebSphere said that my ColdFusion SOAP call
  probably did not have the envelope security header. IIs there a way
  to capture the underlying actual SOAP call format? Here is the
  error msg:
  AxisFault
  faultCode: {
  http://schemas.xmlsoap.org/ws/2003/06/secext}FailedAuthentication
  faultSubcode:
  faultString: WSEC5075E: No security token found which
  satisfies any one of AuthMethods.
  faultActor:
  faultNode:
  faultDetail:
  http://xml.apache.org/axis/}stackTrace:WSEC5075E:
  No security token found which satisfies any one of AuthMethods.
  at
  org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
  at org.apache.axis
  Larry

  Sadly, byrning's reply ended with just "how to use CF with stupid WSSE security", which leads readers to wonder if he meant to share more. For instance, was that supposed to be a link to a blog entry?
  I did some digging, and I found an old google cache of another version of this forum, and it showed that he had included the following code, which somehow never made it into the message here:
  <cfset myUsername = "yourUsername" />
  <cfset myPassword = "yourPassword" />
  <cfset myDate = DateFormat(DateConvert("local2Utc", now()),
  "yyyy-mm-ddThh:mm:ssZ")>
  <cfset myNonce = createPIN(33)> <!--- this is just a random alpha numeric
  string 33 chars long - got the function at cflib.org --->
  <cfset myPasswordDigest = ToBase64(Hash(myNonce & myDate & myPassword ))>
  <cfscript>
          myObj = createObject("webservice", "http://urltoYourService?wsdl");
          headerElement = createObject("java",
  "org.apache.axis.message.SOAPHeaderElement");
          headerElement.init("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
  ecurity-secext-1.0.xsd", "wsse:Security");
          headerElement.addChildElement("wsse:UsernameToken");
          headerElement.getFirstChild().addChildElement("wsse:Username").setValue(myUsern
  ame);
          mypass = headerElement.getFirstChild().addChildElement("wsse:Password");
          mypass.setValue(myPasswordDigest);
          mypass.setAttribute("Type", "wsse:PasswordDigest");
          headerElement.getFirstChild().addChildElement("wsse:Nonce").setValue(
  ToBase64(Hash(myNonce, "SHA")) );
          myCreated = headerElement.getFirstChild().addChildElement("wsu:Created");
          myCreated.setValue(myDate);
          myCreated.setAttribute("xmlns:wsu",
  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-ut....
  xsd");
          headerElement.setMustUnderstand(1);
          headerElement.setActor("");
          myObj.setHeader(headerElement);
          result = myObj.methodtoCall(param1="yadda", param2="yadda")
  </cfscript>    

• Does coldfusion 8 support the implementation of WS-Security ?

  Does coldfusion support the implementation of WS-Security? We are  running Coldfusion 8 Enterprise Edition .We are trying to consume a web  service that is written in java on an IBM web sphere server. Can  coldfusion 8 consume this web service and pass in the required  WS-Security elements?
  Requirement : To consume a Webservice developed in java from coldfusion using WS-Secuirty mode .
  Environment used : Windows 2003, IIS 6, Coldfusion 8, SQl server  2005
  While trying to consume a public webservice through coldfusion , We received unable to read WSDL file and Unknown host exception error.
  Hence,  we are using <cfhttp to consume webservices.
  Can  you please advise how we can consume webservice using WS-Secuirty  (SHA-1)?

  swoodrich wrote:
  > Does coldfusion support the implementation of
  WS-Security? I am running
  > Coldfusion 8 Enterprise Edition as a stand alone server.
  I am trying to
  > consume a web service that is written in java on an IBM
  web sphere server. Can
  > coldfusion consume this web service and pass in the
  required WS-Security
  > elements?
  >
  > Also, is the reverse achievable... Can I create a web
  service that implements
  > WS-Security on a coldfusion server?
  As far as I know CF cannot consume or produce WS-Security.
  I've consumed
  a .net security enabled web service using raw XML. I think
  it's much
  harder to produce ws-security in CF (you're still going to do
  it raw
  just that it's harder).
  Mack

• Consume a webservice developed in other than coldfusion  in WS-Security mode

  1. What are the prerequisites (any software installation, configuration) to be considered ?
  Requirement : To consume a Webservice developed in other than coldfusion in WS-Secuirty mode .
  Environment used : Windows 2003, IIS 6, Coldfusion 8, SQl server 2005
  2. While trying to consume a public webservice through coldfusion , We received unable to read WSDL file and Unknown host exception error.Can you please advise. why we are receiving this error and solution ?

  Thanks Dan Bracuk, for your reply.
  What I could understand from Sivakarthikeyan post is that
  Point 1)
  It is mentioned that they are going to consume external webservices for which he would like to know whether any software/configuration is required to implement WS-Security (In IIS or coldfusion administrator)?
  Point 2)
  It could be a correct URL that he is using, from his description (2nd step) he gets a error message as "Unable to read WSDL file". If it of incorrect URL then he would have received file not found or other error message.
  Can you please or anyone clarify?
  Thanks,
  Satheesh

• Coldfusion secure FTP & digital certificates

  Hello !
  I am currently in the process of developing a corporate CF intranet site that is behind a corporate firewall and part of the application will need to send a data file (FTP put) to a remote FTP server using secured FTP (FTPS). I have never used Coldfusion before for either secured or unsecured FTP.  I am planning on using the CFFTP tag to open the connection and send the data file but I have a number of other questions regarding the use & installation of the digital certificates.:
  Current development environment setup:
  CF version 9 standard edition running on Windows Server 2008 R2
  Microsoft IIS 7
  Current production environment setup:
  CF version 9  enterprise edition running on Windows Server 2008 R2
  Microsoft IIS 7
  1.  The data file that is being created must be sent to a finanacial institution and they will be providing a digital certificate (p12 format) to me.  What do I do with that certificate once I get it ?  I have installed SSL certificates before on http web sites with IIS without any issues but I am not sure what to do with the certificate for secured FTP.  Do I import the certificate into IIS using the MMC snap on or does the certificate need to be integrated into Coldfusion in some other way and if so, what needs to be done ?
  2.  What other steps need to be prior to being able to use the CFFTP tag for a secured FTP send ?
  I would appreciate as much help as possible as I haven't used CF for FTP before.
  Thank you.

  Dave,
  Thank you for answering.
  1.  I have imported the certificate into the cacerts file by using the following command:
       keytool -import -keystore ../lib/security/cacerts -alias x  -file c:\downloads\y
       where x was the alias name I assigned and y was the certificate name (extension of 'der').
  I tried importing a p12 and p7b certificate but neither of those worked.  I received the message 'Not a valid X.509 Certificate' from the command.  I then successfully imported a Base64 certificate (der).  I believe the certificate has been successfully imported because I ran the following and it shows the MD5 fingerprint:
       keytool -list -alias x -keystore ../lib/security/cacerts
       where x is my alias name I assigned in the original import
  2.  I then ran the following CFM command replacing the '*'s with the appropriate server name, user name, and password
       <cfftp action="open" connection="conn1" secure="yes" server="********" username="******" password="*****" port="21"
       </cfftp>
       I am getting the CF error
  An error occurred while establishing an sFTP connection.
  Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: User Authentication failed.
  Any suggestions or help would be appreciated.
  Thank you.

• Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  So, Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2?
  In the Security Bulleting it reads like it does:
  Summary
  Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
  source: http://www.adobe.com/support/security/bulletins/apsb10-11.html
  However, there are no solutions in the technote:
  Issue
  Note: This technote and the attachments have been updated on 05/13/2010. All ColdFusion users should review the technote again. An issue when this security fix was applied with Cumulative Hot Fix 4 for ColdFusion 8.0.1 has been identified and resolved. The issue was caused by a naming conflict.
  ColdFusion 9.0, 8.0.1 and 8.0 are affected with the issue mentioned in the security bulletin APSB10-11. This technote provides fixes for the security issues along with the installation instructions.
  source: http://kb2.adobe.com/cps/841/cpsid_84102.html
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  Thank you any help will be benifitial.

  I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
  I have had phone support from them, and they were quite helpful.  Do you mean they don't do free phone support?  No, they don't.
  I cannot believe they suggested you raise an issue on the forum.  That's just sh!t.  There's no other way of describing that.
  Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
  http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
  Only for "Extended support", whatever that is.
  [searches]
  Hmmm... http://www.adobe.com/support/programs/policies/terms_customer.html:
  Extended Support. If version of software held by Customer at time of renewal has been end-of-lifed during the next renewal term, Customer may renew to Extended Support, provided that Extended Support is available for such software version.  Information about Software that has been or soon will be end-of-lifed and Extended Support availability dates by product version are published at www.adobe.com/support. If Customer elects to purchase Extended Support, the Annual Support Fee shall be twenty-five (25%) percent of the license fee paid for the Software (if such fee cannot be established, the percentage would be based on the then-current list price of the license fee for the Software), however in no event shall the amount be less than the last renewal prior to renewing under Extended Support.
  If extended support is renewed, the renewal fee would be the Annual Support Fee paid for the prior year increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date. Should Customer upgrade to the next major version of the Software (e.g., upgrade from 4.0 to 5.0), the Annual Support Fee for the upgraded version shall be the lesser of twenty percent (20%) of the then current list price of the license fee for such upgraded version, or the Annual Support Fee for the last renewal prior to renewing under Extended Support increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date.
  So there you go.  It's something you'd have to be paying for anyhow, and my reading of that is that it's too late to get it now anyhow.
  I think this will also mean that you're definitely out of luck in regards to any sort of patching going on for CFMX7.
  Adam

• Coldfusion error - security?!?

  Hello,
  I recently purchased hosting and am trying to get my website
  online. I'm using coldfusion on my website, but I am getting an
  error.
  This is my code to load the header and footers from a .cfm
  file...
  <body>
  <table width="72%" border="0" cellpadding="0"
  cellspacing="0">
  <tr>
  <td colspan="2"><cfinclude
  template="/includes/inc_header.cfm"></td>
  </tr>
  <tr>
  <td width="78%">Info goes here </td>
  <td width="22%">something goes here.... </td>
  </tr>
  <tr>
  <td height="38" colspan="2"><cfinclude
  template="/includes/inc_footer.cfm"></td>
  </tr>
  </table>
  </body>
  And here is the error I am getting....
  The web site you are accessing has experienced an unexpected
  error.
  Please contact the website administrator.
  The following information is meant for the website developer
  for debugging purposes.
  Error Occurred While Processing Request
  Security: The requested template has been denied access to
  /var/chroot/home/content/r/n/p/rnpodsia/html/includes/inc_header.cfm.
  The following is the internal exception message: access
  denied (java.io.FilePermission
  /var/chroot/home/content/r/n/p/rnpodsia/html/includes/inc_header.cfm
  execute)
  The error occurred in
  /var/chroot/home/content/r/n/p/rnpodsia/html/test.cfm: line 10
  8 : <table width="72%" border="0" cellpadding="0"
  cellspacing="0">
  9 : <tr>
  10 : <td colspan="2"><cfinclude
  template="/includes/inc_header.cfm"></td>
  11 : </tr>
  12 : <tr>
  you can also go to www.vividcomp.com/test.cfm
  If anybody has a answer or a solution that would be greatly
  appreciated because I am not quite sure where I went wrong... And
  my hosting is from godaddy.com and I purchased the coldfusion
  language support.... Thank you for your time.
  -Ricky

  Hey,
  I have set all my persmissons, they are set to 755... which
  means that everything is checked except the Write for user/group
  and everyone.
  Here is my code for my inc_header....
  <script type="text/JavaScript">
  <!--
  function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr;
  for(i=0;a&&i<a.length&&(x=a
  )&&x.oSrc;i++) x.src=x.oSrc;
  function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new
  Array();
  var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0;
  i<a.length; i++)
  if (a.indexOf("#")!=0){ d.MM_p[j]=new Image;
  d.MM_p[j++].src=a
  function MM_findObj(n, d) { //v4.01
  var p,i,x; if(!d) d=document;
  if((p=n.indexOf("?"))>0&&parent.frames.length) {
  d=parent.frames[n.substring(p+1)].document;
  n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for
  (i=0;!x&&i<d.forms.length;i++) x=d.forms[n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++)
  x=MM_findObj(n,d.layers
  .document);
  if(!x && d.getElementById) x=d.getElementById(n);
  return x;
  function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new
  Array; for(i=0;i<(a.length-2);i+=3)
  if ((x=MM_findObj(a))!=null){document.MM_sr[j++]=x;
  if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
  //-->
  </script>
  <body
  onLoad="MM_preloadImages('/images/home_rollover.gif','/images/about_rollover.gif','/image s/services_roll.gif','/images/portfolio_roll.gif','/images/contact_roll.gif')"><table
  width="72%" border="0" cellpadding="0" cellspacing="0">
  <tr>
  <td><img src="/images/header_topleft.gif"
  width="308" height="18"></td>
  <td><img src="/images/header_topright.gif"
  width="432" height="18"></td>
  </tr>
  <tr>
  <td width="31%"><img
  src="/images/header_bannerlefttop.gif" width="308"
  height="57"></td>
  <td><img src="/images/header_right.gif" width="432"
  height="57"></td>
  </tr>
  <tr>
  <td width="31%"><img
  src="/images/header_bannerleftbottom.gif" width="308"
  height="25"></td>
  <td height="27"><a href="#"
  onMouseOut="MM_swapImgRestore()"
  onMouseOver="MM_swapImage('Image4','','/images/home_rollover.gif',1)"><img
  src="/images/home.gif" name="Image4" width="84" height="25"
  border="0"></a><a href="#"
  onMouseOut="MM_swapImgRestore()"
  onMouseOver="MM_swapImage('Image5','','/images/about_rollover.gif',1)"><img
  src="/images/about.gif" name="Image5" width="84" height="25"
  border="0"></a><a href="#"
  onMouseOut="MM_swapImgRestore()"
  onMouseOver="MM_swapImage('Image6','','/images/services_roll.gif',1)"><img
  src="/images/services.gif" name="Image6" width="84" height="25"
  border="0"></a><a href="#"
  onMouseOut="MM_swapImgRestore()"
  onMouseOver="MM_swapImage('Image7','','/images/portfolio_roll.gif',1)"><img
  src="/images/portfolio.gif" name="Image7" width="84" height="25"
  border="0"></a><a href="#"
  onMouseOut="MM_swapImgRestore()"
  onMouseOver="MM_swapImage('Image8','','/images/contact_roll.gif',1)"><img
  src="/images/contact.gif" name="Image8" width="95" height="25"
  border="0"></a></td>
  </tr>
  </table>
  Still confused on why this is happening... any help would be
  great!! thanks!
  -Ricky